The Common Criteria certification is a crock in my opinion. Same goes for FIPS and many other software certifications. I completely agree with Bruce Schneier's comment that "no one really understands what a certification means". (You can follow the original post and ensuing debate here: http://www.google.com/sidewiki/entry/jackson.shaw/id/phlOFw-lA4N3-4D29Irgve-yH_c)
These certifications are extremely costly. The ones I have been involved in end up exceeding $100,000 and the certification is valid only for that particular version. In this day and age most software companies are releasing new software versions every 6-8 months. I can't afford to re-certify for every major and minor release.
One of the benefits to software companies was that government agencies were supposedly required to only purchase Common Criteria or FIPS certified products. Guess what? They don't. They get around those requirements pretty easily with all kinds of excuses. So, why should a software company bother?
1 day ago